Production-ready Google Drive + OneDrive/SharePoint Sync and Write-back

Somebody on the team says: "Let's just sync their Google Drive."

And you think — sure, how hard can it be? OAuth, list some files, download them. Maybe a webhook for changes. Toss in OneDrive for the enterprise crowd. Ship it by Friday.

I spent the better part of a month learning exactly how hard it can be. I evaluated 17 vendors, read more OAuth documentation than any human should, got intimately familiar with Google's compliance process, and emerged with a map of the trade-off space that I wish had existed when I started.

This is that map.

The Impossible Hexagon

Here are six things you'd like to be true simultaneously:

Bulk recursive background sync for Google Drive AND OneDrive/SharePoint
Skip Google's restricted-scope verification (the dreaded CASA audit)
Skip admin consent for Microsoft Graph
Stay fully white-label — no third-party branding on consent screens
Spend less than $300/mo on third-party tooling
Minimize user friction — no multi-step consent flows

You cannot have all six. One or more constraints must bend. The entire article is about choosing which ones.

I call this the Impossible Hexagon because it sounds dramatic and because I spent enough time staring at it on a whiteboard that it deserves a name.

Two Roads Diverged in a Cloud Storage Wood

Every real-world implementation falls into one of two paths. There is no third path. I checked.

Path 1 — The Admin Bypass (Enterprise / B2B)

This is the elegant path if your users have IT departments. An admin performs a one-time "moment of consent":

Google Workspace: Domain-Wide Delegation via a Service Account — your app impersonates users without them ever seeing an OAuth screen
Microsoft 365: Admin-granted Application Permissions in Entra ID — same idea, different console

After that moment, your backend crawler runs quietly in the background. No per-user OAuth. No CASA audit. No consent screens. Just changes.list and delta queries chugging along.

The catch? You need an IT admin who trusts you enough to hand over the keys. For consumer products, this path doesn't exist.

DWD caveat (March 2026): Google has been tightening domain-wide delegation guidance and encouraging more granular alternatives. Some security-conscious enterprises are moving away from blanket DWD toward more constrained service account patterns. B2B onboarding should anticipate that some prospects' IT teams may push back on DWD — plan a fallback conversation and consider offering granular scope restrictions as an alternative.

Path 2 — Consumer Self-Serve

For products where individual users connect their own Drive or OneDrive, you're in the trenches. Three options, ranked:

	Approach	Cost	Timeline	The Verdict
C	Pipedream Connect	< $300/mo	~2–3 weeks	Recommended near-term — fast, good enough
A	Build direct with Nango	< $100/mo	~10–15 weeks	Best long-term — own everything
B	Premium managed auth	$600+/mo	~4–6 weeks	Skip it — you're paying for abstraction you'll outgrow

The move: Ship with Pipedream Connect in weeks. Begin CASA process immediately. Migrate to Nango once you have traction and the compliance runway.

The Vendor Gauntlet: 17 Providers, Evaluated

I looked at everything. Here's the full evaluation matrix — the highlighted rows (Nango and Pipedream Connect) are the survivors; the rest are kept as a decision log.

Provider	Managed OAuth?	Background Sync?	Write-back?	White-label?	Consumer?	Admin Bypass?	Pricing	Key Limitations
Merge	Yes (embed UI)	Yes (you implement)	Yes	Partial	Yes	Partial	$650/mo for 10 accounts, $65 each after	File storage connectors show beta status; per-account pricing scales painfully
Unified.to	Yes (embedded auth)	Yes (real-time API)	Yes (read+write)	Yes (CNAME)	Yes	Partial	$750+/mo; $1/1K API overage	Expensive for just Drive + OneDrive; still subject to Google/MS permission realities
Apideck	Partial (sandbox apps; BYO for production)	Yes	Yes (push+pull)	Yes (Vault UI)	Yes	No	$599/mo Launch; $1,299/mo Scale	Over budget; managed auth not a magic CASA exemption in production
Truto	Yes (Connect UI + sync)	Yes (5-min intervals)	Yes	Yes (enterprise tier)	Yes	Partial	$999/connector/yr+	Requires ≥10 connectors; pricing clashes with budget
Pipedream Connect	Yes (Pipedream OAuth + token store)	Yes (via API proxy + crawler)	Yes	Partial (consent shows Pipedream)	Yes	Partial	~$99–150/mo + $2/user; credits	Proxy requests consume credits; dev mode has friction
Uploadcare	Yes (custom OAuth available)	No (picker model)	No	Yes (Business plan)	Yes	N/A	Pro $66/mo; overages $0.50/1K ops	Frontend picker only — no background sync or write-back
Filestack	Yes (many sources; BYO for OneDrive Business)	No	No	Paid add-on	Yes	Weak	Start $69/mo; white-label $49/mo extra	No background sync; OneDrive Business can force custom auth
Uppy + Transloadit	No (BYO keys via Companion)	No	No	Yes	Yes	No	Transloadit from $45/mo	Still your OAuth app → still CASA/admin consent realities; uploader, not connector
Nango	No (BYO OAuth app)	Yes (token mgmt + you run sync)	Yes	Yes	Yes (after verification)	No	Cloud Starter $50/mo for 20 connections	Cheapest real connector building block, but doesn't remove CASA
Composio	Yes (delegated auth)	Limited	Yes (actions)	Unclear	Yes	No	$0 (20K calls) / $29 (200K) / $229 (2M)	Agent-style actions, not high-volume file sync with delta history
n8n	Cloud: yes; self-host: no	Yes (workflow polling)	Yes	No	Yes	No	Cloud starter 20€/mo	Internal automation glue; awkward to embed as SaaS connectors
StackOne	No (BYO)	Unclear	Unclear	Partial	Unclear	No	Not clearly public	Not purpose-built for bulk file storage sync
Paragon	"Managed auth" but Drive sync requires your OAuth scopes	Yes	Yes	Yes	Yes	No	Contact sales	Doesn't remove CASA if you must request `drive.readonly`
Panora	No (project sunset)	N/A	N/A	N/A	N/A	N/A	N/A	OSS discontinued; not a production choice
hotglue	BYO OAuth apps	Yes (background jobs)	Yes	Partial	Yes	No	Not public	Doesn't remove Google/MS permission gates
Pathfix	No (your app must pass provider requirements)	Yes (proxy + you write sync)	Yes	Yes	Yes	No	Varies	Explicitly calls out Google/MS hoops — not a bypass
Knit	Yes (auth component)	Yes (scheduled sync)	Yes	Partial (higher tier)	Yes	Partial	$499/mo Start Up	Barely below $500/mo; not "just Drive + OneDrive cheap"

Survivors: Nango and Pipedream Connect. Everything else was either too expensive, too limited, or solving a different problem.

OAuth Scopes: Where Dreams Go to Die

This is the section that will save you the most time. Trust me.

Google Drive — The Restricted Scope Trap

Scope	What it does	The catch
`drive.readonly`	Read all files	Restricted — CASA audit required
`drive`	Read + write all files	Restricted — CASA audit required
`drive.file`	Only files your app created	No CASA needed... but useless for sync

See the problem? The one scope that doesn't require compliance review (drive.file) can only access files your app created. It cannot enumerate or read existing user files. You literally cannot build a file sync product with it.

Every production Drive sync implementation requires restricted scopes. There is no workaround. CASA is not optional — it's a toll road with no side streets.

Scope	What it does	The catch
`Files.Read.All`	Read all user-accessible files	High-privilege — often requires admin consent
`Sites.Read.All`	Read all SharePoint sites	High-privilege — often requires admin consent
`Files.ReadWrite.All`	Full file read/write	Required for write-back

Microsoft's *.All scopes trigger admin consent prompts in most tenant configurations. Your users will hit a screen that says "This app needs admin approval" — and unless they are the admin, that's a dead end.

The silver lining: Microsoft's compliance process is lighter. Publisher verification through MPN, a blue badge, done. Selected permissions can help narrow scope. No annual audit.

The CASA Gauntlet

Google's Cloud Application Security Assessment. Annual. Mandatory for restricted scopes. Here's what you're signing up for:

Phase	Duration	What happens
Trust & Safety review	2–6 weeks	Google reviews your app listing, privacy policy, recorded demo, and scope justification
CASA Tier 2 assessment	1–3 weeks	A third-party security lab audits your app against OWASP-derived criteria (~$540 via TAC Security)
Final approval	1–2 weeks	Green light (or back to square one)
Total	4–11 weeks	And it renews every year

Minimum product controls (verification friction reducers):

Least-privilege scopes with clear justification (why read-all; why write)
Encryption at rest for tokens + files; secret management; audit logging; delete/export flows
Vulnerability scanning evidence (SAST/DAST/SCA) + remediation process

Compare that to Microsoft:

Phase	Duration
MPN registration	1–2 weeks
Badge propagation	1–2 weeks
Total	2–4 weeks, one-time

Google makes you earn it every year. Microsoft trusts you after the first date. Make of that what you will.

Four Architecture Patterns

Every implementation I've seen (or built, or considered building) maps to one of these four patterns. The diagrams tell the story.

Pattern 1 — The Quick Import (Frontend Picker + Server Transfer)

For when you just need files once — no ongoing sync, no delta tracking. A picker widget (Uploadcare, Filestack), a webhook, done.

Simple. The vendor handles OAuth, fetches files server-to-server, drops them in your bucket. But there's no background sync, no delta tracking, and no write-back. This is a one-way import, not a sync engine.

Pattern 2 — The Managed Middle Ground (Vendor OAuth + Background Crawler)

This is the Pipedream Connect path. You get managed OAuth and ongoing sync capability without building token management from scratch.

The vendor handles tokens. You handle sync logic — cron jobs or queue workers calling their unified API to list files, download content, and push write-backs. You're trading some control (and white-label purity) for speed to production.

Pattern 3 — The Full Monty (BYO OAuth + Nango Token Vault + Background Crawler)

The long-term architecture. You own everything: OAuth apps, token management (via Nango or custom), sync workers, conflict resolution. Maximum control. Maximum effort.

Your workers hit Google's changes.list and Microsoft's delta endpoints directly. You control retry logic, rate limiting, conflict resolution, and exactly how write-backs propagate. This is what you migrate to after Pipedream proves the market.

Pattern 4 — The Enterprise Express (Admin-Granted Flows)

The B2B path. An IT admin grants access once, your backend syncs everything silently. No per-user consent, no CASA, no friction.

This is the path where compliance and user friction simply... vanish. The trade-off is that someone with admin access has to say yes first.

The Rollout Playbook

Enterprise (B2B) — Ship in 2–3 Weeks

Architecture: Pattern 4
Compliance: None required — DWD and Application Permissions bypass CASA entirely
Timeline: 2–3 weeks if you already have a backend and job queue infrastructure
Risk: Low — the admin consent model is well-understood and battle-tested

Consumer (Self-Serve) — Ship Fast, Then Own It

Phase 1 (Near-term): Option C — Pipedream Connect, Pattern 2

Ship in 2–3 weeks
Start CASA process on day one (it runs in the background while you ship)
Accept Pipedream's branding on consent screens temporarily

Phase 2 (Long-term): Option A — Nango, Pattern 3

Migrate once you have product-market fit and the CASA approval
Full white-label, lower cost at scale
Plan 10–15 weeks of engineering effort

Questions for the Business Team

Before writing a single line of integration code, four questions need answers. These aren't technical decisions — they're business decisions that determine the technical path:

Self-serve or IT-admin install? This is the fork in the road. Both is fine, but build one first. Many B2B products start with admin install (faster, no CASA) and add self-serve later.
Speed to market vs. white-label purity? Pipedream gets you live in weeks. Your consent screens say "Pipedream" instead of your brand. Is that acceptable for V1? (It usually is.)
Expected data volumes? A 10-user pilot and a 10,000-seat enterprise have very different infrastructure needs. Delta sync strategies, storage costs, and rate limits all scale differently. Know your target.
Sales fallback if self-serve stalls? If consumer adoption is slow, can the product pivot to sales-led B2B? Having Pattern 4 ready as a fallback can derisk the entire launch. Build the admin flow even if you don't lead with it.

Parting Thoughts

I started this research thinking I'd find a clean vendor that "just handles" cloud storage sync. I ended it understanding why that vendor doesn't exist — and why the problem space is more constrained than it appears.

The constraints are real. Google's restricted scope policy isn't going away. Microsoft's admin consent wall isn't going away. CASA renewals are annual. But the problem is solvable, and the paths above have been pressure-tested against real production requirements.

Pick the path that matches your current stage, not your aspirational one. Ship with Pipedream if you need to be live next month. Plan the Nango migration for when you've proven the market cares. And if you're selling to enterprises — Pattern 4 is right there, waiting for an IT admin to click "Approve."

Good luck out there. Your OAuth tokens are going to expire at the worst possible time. They always do.